View on
Michael Robinton > Mail-SMTP-Honeypot-0.11 > Mail::SMTP::Honeypot



Annotate this POD

View/Report Bugs
Module Version: 0.11   Source  


Mail::SMTP::Honeypot -- Dummy mail server


  use Mail::SMTP::Honeypot;



Mail::SMTP::Honeypot is a perl module that appears to provide all the functionality of a standard SMTP server except that when the targeted command state is detected (default DATA), it terminates the connection with a temporary failure and the response:

    421 Service not available, closing transmission channel

The purpose of this module is to provide a spam sink on a tertiary MX host. The module daemon is run on an MX host with a very high priority number specified in it's DNS record. i.e.  IN MX 9999

Since many spammers target this mail server in the hope that its configuration and/or security is not as strong or well maintained as the primary mail host for a domain. In the off chance that a real message is sent to the server, the TEMPORARY failure code will simply make the sending host retry later -- probably with the lower priority numbered host. Meanwhile, the server target by the spam source has its resources consumed by honeypot.

Honeypot does not spawn children and holds only a small reference to each thread that it holds to a client, thus consuming minimal resources. It can produce logs useful in analyzing the spam traffic to your site. Using it with a detach in CONN mode is adequate for triggering a companion spam program such as Mail::SpamCannibal while consuming minimum host resources. At our site, we simply run honeypot on the same host as our secondary MX but on a different IP address.

Honeypot provides various levels of connection and transaction logging that can be set in the configuration.

A delay may be inserted between the receipt of each command and the response from the server daemon to slow down the sending client.


Edit the file to change or set the following:

  my $config = {

  # specify the directory for the pid file for this daemon
  # [required]
        piddir          => '/var/run',

  # deny at command state, one of:
  # defaults to DATA if not specified
  # [optional]
  #     deny            => 'DATA',

  # specify the local domain name, defaults to local hostname.
  # this is probably not what you want if you use virtual IP's
  # and have a real mail client on the same host. so...
  # specify the host 'answerback name' here.
  # [optional]
  #     hostname        => '',

  # specify the IP address to bind the listening port
  # defaults to ALL interfaces (INADDR_ANY)
  # [optional]
  #     ip_address      => '',

  # listen port -- default 25
  # this is useful for debugging purposes
  # [optional]
  #     port            => 25,

  ## NOTE:      see Concurrent Daemon Operation in the
  ##            documentation for setup where another
  ##            mail daemon is running on the same host.
  # specify the response delay after connect or upon
  # receipt of an smtp command from the client
  # NOTE:       if a response is not received
  #             from the client in this time
  #             period, the smptdeny daemon will
  #             issue a 421 response and disconnect
  # [optional] default 10 seconds
  #     delay           => 10,

  # syslog facility, one of:
  # You should not need to change this
  #     log_facility    => 'LOG_MAIL',

  # syslog log level or (none), one of:
  # NOTE:       the command line -d flag overrides
  #             this and sets the level to STDERR
  # [optional]
        syslog          => 'LOG_WARNING',

  # log verbosity
  #     0 connect only
  #     1 + To: & From:
  #     2 + bad commands
  #     3 + trace execution
  #     4 + deep trace with sub names
  # [optional]
        verbose         => 0,

  # DNS host, if you do not have a resolver
  # on your host or for debugging
  # default: as returned by your resolver for local dns
  # [optional]
  #     dnshost         => 'use.default',

  # DNS port, useful for debugging
  # [optional] default 53
  #     dnsport         => 53,

  # timeout for DNS PTR queries
  # [optional] default: use 'delay' above
  #     DNStimeout      => 10,

  # maximum number of connected clients
  # [optional] default 100
  #     maxthreads      => 100,

  # maximum number of commands per client
  # [optional] default 100
  #     maxcmds         => 100,

  # disconnect the remote after this much time
  # [optional] default 300 seconds
  #     disconnect      => 300,



Launch the daemon with the command: [-d] [start | stop | restart]

The '-d' flag, this overides the config settings and reports logging to STDERR

On some systems it may be necessary to wrap a shell script around if the path for perl is not in scope during boot.

  # shell script 'rc.honeypot'
  /path/to/ $*

A sample shell script is included in the distribution as rc.honeypot

NOTE: suggest you test your configuration as follows...

  Set:  verbose => 3,
        delay   => 5,

  ./rc.honeypot -d start

Connect to the daemon from a host not on the same subnet and watch the output from daemon to verify proper operation.

Correct the configuration values and ENJOY!

Standalone Operation

For operation on a host where Mail::SMTP::Honeypot is the only SMTP daemon, the default configuration will work for most installations.

Concurrent Daemon Operation

To operate Mail::SMTP::Honeypot concurrently with another mail daemon on the same host you must do the following:

1) add a virtual IP address for the daemon to answer. The IP address in the config section should be left commented out so that the daemon will bind to INADDR_ANY.

In your startup sequence, execute the following: (example for Linux)

  # Edit for your setup.
  NETMASK=""       # REPLACE with YOUR netmask!
  NETWORK=""             # REPLACE with YOUR network address!
  BROADCAST=""         # REPLACE with YOUR broadcast address
  # assign a virtual IP address

  # assign ethernet device
  DEVICE="eth0"                 # REPLACE with your external device

  # Note:       the "real" IP address has no LUN
  #             virtual IP's are assigned LUN's starting with '0'
  # i.e.        host IP =       eth0
  # virtIP         LUN 0   eth0:0
  # virtIP         LUN 1   eth0:1

  /sbin/ifconfig ${IFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
  /sbin/route add ${IPADDR} dev ${IFACE}
  echo Configuring $IFACE as $IPADDR
2) run the honeypot daemon on an unused port.

Select a high port number that will not interfere with normail operation of the host SMTP daemon or other services on the host.

  i.e.  in the config section of

        port    => 10025,
3) add packet filter rules to redirect queries.

This example is for IPTABLES on Linux. Similar rules would apply for other filter packages.

  # allowed chain for TCP connections
  iptables -N allowed
  iptables -A allowed -p tcp --syn -j ACCEPT
  iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A allowed -p tcp -j DROP

  # drop all external packets target on honeypot daemon
  iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 10025 -j DROP
  iptables -t nat -A PREROUTING -p tcp -d --dport 25 -j REDIRECT --to-port 10025
  # alternate DNAT statement
  # iptables -t nat -a PREROUTING -p tcp -d --dport 25 -j DNAT --to

  ## if you are running SpamCannibal, add this rule to capture IP's of connecting hosts
  ## iptables -A INPUT -p tcp -i eth0 --dport 10025 -j QUEUE

  # allow the internal port to connect
  iptables -A INPUT -p tcp -s 0/0 --dport 10025 -j allowed


Only one function is exported by This function is called in the script to launch the honeypot daemon.


Copyright 2004 - 2014, Michael Robinton <>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (except as noted otherwise in individuals sub modules) published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.


Michael Robinton <>


Mail::SpamCannibal on CPAN or

syntax highlighting: